Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[solved]Which of these VPN protocols is the safest?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Marlo
Veteran
Veteran


Joined: 26 Jul 2003
Posts: 1303

PostPosted: Thu Dec 21, 2017 1:21 pm    Post subject: [solved]Which of these VPN protocols is the safest? Reply with quote

Hello@,
for a vpn connection I have the choice between:
PPTP
L2TP
SSTP
IKEv2
OpenVPN UDP
OpenVPN TCP

My question is: Which of these protocols is the safest?
Is it possible to rank them in terms of security? Like 1. 2. 3.
On the Internet, there are the most diverse views on this.
Sometimes had I think it's like a question of faith.

I am grateful for every hint and thank you already now.
Ma
_________________
Thank you for your attention, interest and support.


Last edited by Marlo on Fri Jan 05, 2018 2:00 pm; edited 1 time in total
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 40995
Location: 56N 3W

PostPosted: Thu Dec 21, 2017 1:30 pm    Post subject: Reply with quote

Marlo,

VPN products usually use a combination.
L2TP provides a tunnel, with no security at all, so its used with something else to provide security.

Who will be running the remote VPN endpoint?
You need to be able to trust them, since they will be decrypting all your VPN traffic. You didn't ask about that.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Marlo
Veteran
Veteran


Joined: 26 Jul 2003
Posts: 1303

PostPosted: Thu Dec 21, 2017 2:30 pm    Post subject: Reply with quote

NeddySeagoon wrote:

Who will be running the remote VPN endpoint?
You need to be able to trust them, since they will be decrypting all your VPN traffic. You didn't ask about that.

It is a commercial provider.
NeddySeagoon I realize that the endpoint operator can see everything. I do not want to protect anything from state secret services. (is this seriously possible at the present time?). i just want good protection against normal internet crime. A VPN for desktop, notebook and smartphone.

For my smartphone, I now have an SSH connection to my desktop and go from there to the internet. But that is slow. So I want to spend some money and rent a service from a VPN provider. I found a provider that offers the above protocols.
I may be able to set up these protocols, but not evaluate them professionally.

That's why my question. And thank you for your suggestion.
_________________
Thank you for your attention, interest and support.
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2332

PostPosted: Thu Dec 21, 2017 3:04 pm    Post subject: Reply with quote

The only one of those things which is an encryption cipher is ikev2. The rest of them are protocols which may or may not be coupled with encryption.

Which cipher you use depends on who you don't trust, who (that you don't trust) has access to the route you're sending packets through, and whether the cipher is known to be hacked, or how easy it will likely to be to hack it.

The reason for the diverse opinions is that different people want to hide information from different groups, and there is no consensus as to who the biggest threat might be.

Your only way out of this is research and informed choice.
Back to top
View user's profile Send private message
Marlo
Veteran
Veteran


Joined: 26 Jul 2003
Posts: 1303

PostPosted: Thu Dec 21, 2017 5:18 pm    Post subject: Reply with quote

1clue wrote:
The only one of those things which is an encryption cipher is ikev2.

Yes, thank you. That would be a solution with Openswan or StrongSWAN or LibreSWAN? Installed on a small rented Xen VPS . The costs to a commercial VPN provider are the same.

I still have to find out if and how to install it on my Android before I buy something.
Thank you very much 1clue. Good idea.

Of course, the question raised by NeddySeagoon remains open.
Can I trust the endpoint provider?
_________________
Thank you for your attention, interest and support.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 40995
Location: 56N 3W

PostPosted: Thu Dec 21, 2017 5:54 pm    Post subject: Reply with quote

Marlo,

Your android will offer a choice. Loox under Settings/Wireless &/Networks. One of the options is VPN

I get PPTP and L2TP/IPSec with various secret sharing systems.

If you want Windows compatibility you need L2TP/IPSec, probably with a Pre Shared Key (PSK).
IPSec provides the security and L2TP provides the tunnel.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2332

PostPosted: Thu Dec 21, 2017 6:16 pm    Post subject: Reply with quote

PPTP has been tagged as unsafe by some software.

I use OpenVPN in tap mode. You said udp or tcp, that's not how it works.

OpenVPN has two main modes: TUN vs TAP.

TUN is a conventional tunnel implemented in TCP. Your client looks like a computer from another network.

TAP is an emulation of a network card on the remote network. Your client looks like a computer directly attached to the remote network. You have access to pretty much anything that a local system would have access to, unless specifically barred by firewall rules for the vpn connection.

Some software refuses to allow connections from a remote network in spite of what your firewall says. For example, IPMI server control, or ESXi management (I think) has this limit. If you use TUN you can't access those devices. If you use TAP you can.
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2332

PostPosted: Thu Dec 21, 2017 6:19 pm    Post subject: Reply with quote

Marlo wrote:
1clue wrote:
The only one of those things which is an encryption cipher is ikev2.

Yes, thank you. That would be a solution with Openswan or StrongSWAN or LibreSWAN? Installed on a small rented Xen VPS . The costs to a commercial VPN provider are the same.

I still have to find out if and how to install it on my Android before I buy something.
Thank you very much 1clue. Good idea.

Of course, the question raised by NeddySeagoon remains open.
Can I trust the endpoint provider?


You need to read a bunch before you buy anything.

With most VPN arrangements you can specify what ciphers to use separately of your choice of tunnel protocols. Most people probably just use whatever the default is, which is much easier but less safe.
Back to top
View user's profile Send private message
Marlo
Veteran
Veteran


Joined: 26 Jul 2003
Posts: 1303

PostPosted: Thu Dec 21, 2017 6:27 pm    Post subject: Reply with quote

1clue wrote:

You need to read a bunch before you buy anything.


On my Android, I have installed the app "OpenVPN Connect". This is possible via TCP. But I do not know so fast now, whether about TUN or TAP.
I think I have to invest more time.

Many thanks for the suggestions
_________________
Thank you for your attention, interest and support.
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2332

PostPosted: Thu Dec 21, 2017 6:29 pm    Post subject: Reply with quote

TAP is slower.
Back to top
View user's profile Send private message
Marlo
Veteran
Veteran


Joined: 26 Jul 2003
Posts: 1303

PostPosted: Thu Dec 21, 2017 6:36 pm    Post subject: Reply with quote

Ah, here. I got it:
Code:
client
dev tun
proto tcp
remote XXX-XXXX.net 80
persist-key
persist-tun
ca ca.crt
tls-auth my.key 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
route-method exe
route-delay 2
route 0.0.0.0 0.0.0.0
float
auth-user-pass
auth-retry interact

_________________
Thank you for your attention, interest and support.
Back to top
View user's profile Send private message
havana8
n00b
n00b


Joined: 17 Nov 2017
Posts: 16

PostPosted: Fri Jan 05, 2018 9:41 am    Post subject: Reply with quote

I also consider PPTP as unsafe. Perhaps this article might be beneficial as to give you a brief info on different network protocols and some of the disadvantages they have. There is also a paragraph for the perks of UDP and TPC. Personally, I would suggest using an OpenVPN :)
Back to top
View user's profile Send private message
chiefbag
Guru
Guru


Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

PostPosted: Fri Jan 05, 2018 11:47 am    Post subject: Reply with quote

1clue wrote:
I use OpenVPN in tap mode. You said udp or tcp, that's not how it works.


OpenVPN can run over either UDP or TCP protocol.

TAP or TUN are the devices presented on the client/server host.
Back to top
View user's profile Send private message
Marlo
Veteran
Veteran


Joined: 26 Jul 2003
Posts: 1303

PostPosted: Fri Jan 05, 2018 1:58 pm    Post subject: Reply with quote

havana8 wrote:
... Perhaps this article might be beneficial ...I would suggest using an OpenVPN :)



thanks havana8,
The link was very useful to me. In the meantime, I had opted for OpenVPN. :)

By the way: I did not know that 1 & 1 has such a good know-how side. There are many useful hints. Thanks for that too!

Ma
_________________
Thank you for your attention, interest and support.
Back to top
View user's profile Send private message
1clue
Advocate
Advocate


Joined: 05 Feb 2006
Posts: 2332

PostPosted: Fri Jan 05, 2018 4:12 pm    Post subject: Reply with quote

chiefbag wrote:
1clue wrote:
I use OpenVPN in tap mode. You said udp or tcp, that's not how it works.


OpenVPN can run over either UDP or TCP protocol.

TAP or TUN are the devices presented on the client/server host.


I didn't know that.

WRT UDP or TCP, I would recommend UDP then. TCP is a 'guaranteed delivery' protocol, and if a packet is dropped then the entire stream is halted until that packet can be correctly delivered. In real life situations where there is packet loss, UDP can continue happily when one packet has gone missing, the client can request that packet again while still receiving other packets.

This is regardless of what's being transferred.

Back in the 90s I worked at IBM. They had this guaranteed network protocol, I think it was called anynet or something like that. It was 'always on' supposedly under any circumstances. It was much faster to send data over regular tcp/ip, and with some experimentation we found that UDP was fastest of all but you had to code for the resending of packets yourself. The event that caused us to experiment was our "always on" network was down for like a day and a half.

Of course regular ethernet-to-ethernet without any ip addresses would be faster still, but not practical unless everything is on the same lan.
Back to top
View user's profile Send private message
toofied
n00b
n00b


Joined: 26 Oct 2016
Posts: 20

PostPosted: Sat Jan 06, 2018 4:39 pm    Post subject: Re: [solved]Which of these VPN protocols is the safest? Reply with quote

Marlo wrote:
Hello@,
My question is: Which of these protocols is the safest?
Ma


OpenVPN. (UDP is faster than TCP) It has been recently audited by OSTIF

You also forgot to mention wireguard which is likely more secure, but needs more testing in the wild.
Back to top
View user's profile Send private message
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 3340

PostPosted: Sat Jun 23, 2018 4:26 pm    Post subject: Reply with quote

1clue wrote:
chiefbag wrote:
1clue wrote:
I use OpenVPN in tap mode. You said udp or tcp, that's not how it works.


OpenVPN can run over either UDP or TCP protocol.

TAP or TUN are the devices presented on the client/server host.


I didn't know that.

WRT UDP or TCP, I would recommend UDP then. TCP is a 'guaranteed delivery' protocol, and if a packet is dropped then the entire stream is halted until that packet can be correctly delivered. In real life situations where there is packet loss, UDP can continue happily when one packet has gone missing, the client can request that packet again while still receiving other packets.

This is regardless of what's being transferred.

Back in the 90s I worked at IBM. They had this guaranteed network protocol, I think it was called anynet or something like that. It was 'always on' supposedly under any circumstances. It was much faster to send data over regular tcp/ip, and with some experimentation we found that UDP was fastest of all but you had to code for the resending of packets yourself. The event that caused us to experiment was our "always on" network was down for like a day and a half.

Of course regular ethernet-to-ethernet without any ip addresses would be faster still, but not practical unless everything is on the same lan.


The real problem with TCP for your tunnel is that you may then be tunneling TCP through it. At that point you have two "reliable" protocols running at the same time, and they can work against each other. Run your tunnel over UDP, and then you can tunnel TCP through it without that kind of problems. I run my own OpenVPN endpoint, and have the Android OpenVPN client that can attach to it. I only route my local server traffic through it, not all of my traffic. I also have https-everywhere installed, so count on that to keep most of my traffic safe, though of course the metadata is still exposed. I should look into routing all traffic through OpenVPN, I know it's an option.
_________________
.sigs waste space and bandwidth
Back to top
View user's profile Send private message
krullis
n00b
n00b


Joined: 17 Jun 2018
Posts: 5

PostPosted: Sun Jun 24, 2018 7:32 am    Post subject: Reply with quote

Avoid pptp and l2tp, they have been unsecure for long time and should not be used anymore. Even apple have remove support for them in there OS as they not secure.
OpenVPN should be most secure if its configured properly.
SSTP should be OK aswell but is only supported in Windows I think
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1677

PostPosted: Sun Jun 24, 2018 10:05 am    Post subject: Reply with quote

l2tp is not supposed to be secure. That's why it's usually coupled with ipsec.
What's so bad about pptp? I'm curious
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum